Smarts SAM: Install of 9.2 could not get webconsole to start; Error: CRPT-F-CRYPTO_FMLF-FIPS module loading failed: The loading of the FIPS140 shared library failed for an unspecified reason

Article ID: 331915


Products

VMware Smart Assurance

Issue/Introduction

Symptoms:


Following installation, the web server does not start and does not write a log file.

The Tomcat service crashes immediately on startup without writing a log file.

On manual startup, the following error is seen:

[May 2, 2014 7:22:24 AM AKST +138ms] t@4141684432 platform
CRPT-F-CRYPTO_FMLF-FIPS module loading failed: The loading of the FIPS140 shared library failed for an unspecified reason



This issue is caused by an OS problem and is not a Smarts issue. 

Console crashes when running commands on a Linux platform since the FIPS library fails to load. SELinux prevents the shared libraries, libcryptocme2.so and libccme_base.so from loading because of the existence of text relocation in the library.

Environment

VMware Smart Assurance - SMARTS

Cause

SELinux prevents the shared libraries, libcryptocme2.so and libccme_base.so from loading because of the existence of text relocation in the library.

Resolution

There are 3 options to work around this issue. Any of the three options should work. 


Option 1:
 

1. Run the following commands to change the file context for the shared libraries, libcryptocme2.so and libccme_base.so to textrel_shlib_t: 

chcon -t textrel_shlib_t <full dir path>/libcryptocme2.so 

chcon -t textrel_shlib_t <full dir path>/libccme_base.so 
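
Added example, not part of the original article: Option 1 scopes the change to the two libraries instead of relaxing SELinux system-wide. The script below extracts execmod (text relocation) denials from audit records and prints a relabel plan that uses semanage fcontext plus restorecon, which, unlike a bare chcon, persists across a full filesystem relabel. The audit lines and the /opt/EXAMPLE path are constructed placeholders for the article's "<full dir path>".

```shell
#!/bin/sh
# Added example (not from the original article): turn SELinux execmod
# denials into a scoped relabel plan instead of disabling enforcement.

# Constructed sample audit records. /opt/EXAMPLE stands in for the
# article's "<full dir path>"; pids, inodes and contexts are made up.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1399044144.138:412): avc:  denied  { execmod } for  pid=2314 comm="java" path="/opt/EXAMPLE/lib/libcryptocme2.so" dev=dm-0 ino=1312 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1399044144.139:413): avc:  denied  { execmod } for  pid=2314 comm="java" path="/opt/EXAMPLE/lib/libccme_base.so" dev=dm-0 ino=1313 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1399044150.002:420): avc:  denied  { read } for  pid=2400 comm="httpd" path="/var/www/secret" dev=dm-0 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1399044151.500:431): avc:  denied  { execmod } for  pid=2314 comm="java" path="/opt/EXAMPLE/lib/libcryptocme2.so" dev=dm-0 ino=1312 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
EOF
}

# Read audit records on stdin and print each distinct file path that was
# denied execmod, the permission SELinux checks for text relocations.
# Denials for other permissions (read, write, ...) are ignored.
execmod_denied_paths() {
    grep 'denied  *{[^}]* execmod [^}]*}' \
      | grep 'tclass=file' \
      | sed -n 's/.* path="\([^"]*\)".*/\1/p' \
      | sort -u
}

# Read audit records on stdin and print, per denied library, a persistent
# file-context rule and the restorecon call that applies it. Nothing is
# executed: the output is a plan to review and then run as root.
relabel_plan() {
    execmod_denied_paths | while IFS= read -r lib; do
        printf "semanage fcontext -a -t textrel_shlib_t '%s'\n" "$lib"
        printf "restorecon -v '%s'\n" "$lib"
    done
}

# Demonstration on the constructed records above.
sample_audit_log | relabel_plan
```

On a live host, pipe the output of `ausearch -m avc -ts today` into `relabel_plan` instead of the sample records.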


Option 2:  To temporarily switch off enforcement

You can switch the system into permissive mode (set enforce to 0) with the following command:
 
echo 0 >/selinux/enforce
 
You'll need to be logged in as root, and in the sysadm_r role:
newrole -r sysadm_r
 
To switch back into enforcing mode:
echo 1 >/selinux/enforce
 
In Fedora Core and RedHat Enterprise Linux you can use the setenforce command with a 0 or 1 option to set permissive or enforcing mode; it is just a slightly easier command than the above.

 To check what mode the system is in,
cat /selinux/enforce
 
which will print a "0" or "1" for permissive or enforcing - probably printed at the beginning of the line of the command prompt.
 
No reboot required. In fact a reboot will reset the enforcement to 1.

 
Option 3: More permanent option

 

Edit /etc/selinux/config and set the parameter SELINUX as follows:

 
Permanently Permissive
 

If you want the system to always start in permissive mode, then here is how you do it.
In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and you will see some lines like this:
 
 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
 
... just change SELINUX=enforcing to SELINUX=permissive, and you're done. Reboot if you want to prove it.

 
 
 
Fully Disabling SELinux
 

Fully disabling SELinux goes one step further than just switching into permissive mode. Disabling will completely disable all SELinux functions including file and process labelling.
In Fedora Core and RedHat Enterprise, edit /etc/selinux/config and change the SELINUX line to SELINUX=disabled:

 
 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
 
... and then reboot the system.

 
 
You can re-enable SELinux as follows.
 
Re-Enabling SELinux

If you want to enable it again then you've got a bit of work to do. The problem will be that files created or changed when SELinux was disabled won't have the correct file labels on them - if you just reboot in enforcing mode then a lot of stuff won't work properly.
 
What you need to do is to enable SELinux by editing /etc/selinux/config (for Fedora/RedHat) or by adding selinux=1 to the kernel boot line, then boot into permissive mode, then relabel everything, and then reboot into (or simply switch to) enforcing mode.
 
After booting into permissive mode, run
fixfiles relabel
Alternatively, in Fedora and RedHat Enterprise Linux you can run
touch /.autorelabel
and reboot or put
autorelabel
on the boot command line - in both cases the file system gets a full relabel early in the boot process. Note that this can take quite some time for systems with a large number of files.
 
After relabelling the filesystem, you can switch to enforcing mode (see above) and your system should be fully enforcing again.
 


Additional Information

This information was taken from the following website: 

http://www.crypt.gen.nz/selinux/disable_selinux.html